Hacker News new | ask | show | jobs
by dredmorbius 2586 days ago
Sadly, a lot of old-school proxies (squid, privoxy) are stymied by SSL/TLS connections.

I think we're due for the idea that a proxy can be designated as a trusted intermediary, most especially if it's run on a personal basis. I'm sure this presents security issues, but it also avoids some.
1 comments
thaumasiotes 2586 days ago
> I think we're due for the idea that a proxy can be designated as a trusted intermediary, most especially if it's run on a personal basis.

We have that idea now; you designate the proxy as a trusted intermediary by accepting its certificate. The chain looks something like this:

    You: browser, take me to https://youtube.com
    Browser: proxy, get me https://youtube.com
    Proxy: YouTube, get me /
    YouTube: I'm youtube.com -- here's a certificate signed
             by the government of Egypt that proves it. And
             here are the contents of /
    Proxy (to browser): I'm youtube.com -- here's a
                        self-signed certificate attesting to
                        that. And here are the contents of /
    Browser (to user): SECURITY ALERT! SECURITY ALERT!
Configure your browser to accept that certificate, and your proxy can handle its own connection to youtube and just pretend, to your browser, that it is youtube.
link
dredmorbius 2586 days ago
Does Chrome (and other browsers') MITM attack defeat prevent this? That's my understanding.

https://comodosslstore.com/blog/google-chrome-63-will-warn-y...

link
thaumasiotes 2586 days ago
I'm answering based mostly on having read that link. It looks like the protection applies only in the case where an error is being surfaced. The problem Chrome wants to address is that users will click past the SECURITY ALERT.

If you properly configure your own CA, then the TLS error triggering this behavior won't occur, and there is no security problem for Chrome to put its foot down on -- your proxy is providing a valid certificate for whatever domain, as far as Chrome is concerned, not an invalid one.

Compare https://support.portswigger.net/customer/portal/articles/178... .

> The Chrome browser picks up the certificate trust store from your host computer. By installing Burp's CA certificate in your computer’s built-in browser (e.g. Internet Explorer on Windows, or Safari on OS X), Chrome will automatically make use of the certificate.

> When the Burp CA certificate has been installed for your built-in browser, restart Chrome and you should be able to visit any HTTPS URL via Burp without any security warnings.

link
dredmorbius 2586 days ago
Thanks. This is something I've got some plans on.
link